Bug 458341

Summary: KWallet/SecretService: Support "plain" algorithm for DBus communications
Product: [Frameworks and Libraries] frameworks-kwallet
Reporter: michaelk83 <mk.mateng>
Component: general
Assignee: Valentin Rusu <valir>
Status: RESOLVED FIXED
Severity: wishlist
CC: CoelacanthusHex, fkrueger, kdelibs-bugs, nate, paterw00t, rdieter, saurabhmhatre54772
Priority: NOR    
Version: 5.97.0   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   

Description michaelk83 2022-08-26 12:30:45 UTC
Based on https://invent.kde.org/frameworks/kwallet/-/issues/3

SUMMARY
KWallet introduced Secret Service API support in 5.97.0, but only using encrypted communication over DBus ("dh-ietf1024-sha256-aes128-cbc-pkcs7" algorithm). https://invent.kde.org/frameworks/kwallet/-/blob/master/src/runtime/kwalletd/kwalletfreedesktopservice.cpp#L265

Some applications use a hardcoded "plain" algorithm for secret transfer and the specification says: "It is strongly recommended that a service implementing this API support the plain algorithm."  
https://specifications.freedesktop.org/secret-service/latest/ch07s02.html

It would be awesome if "plain" would also be supported to support more applications.

SOFTWARE/OS VERSIONS
KDE Frameworks Version: 5.97.0
Comment 1 michaelk83 2022-08-26 12:37:00 UTC
That said, apps should generally use QtKeyChain or at least `libsecret` to communicate with the Secret Service API, so this is more a matter of completeness and broader compatibility with existing apps.
Comment 2 Bug Janitor Service 2022-09-03 21:07:38 UTC
A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kwallet/-/merge_requests/35
Comment 3 tgpski 2022-10-07 23:06:34 UTC
This change was either intentional or a regression. After upgrading KWallet today, I was locked out of my company VPN due to the plain algorithm being used in wallet communications between the VPN frontend and the keyring.

The upgrade today was from KWallet 5.96.0 to 5.98.0.

The plain algorithm support worked for versions 5.96 and lower. Therefore, a change to restrict this algorithm must have been introduced in 5.97.

Can we not revert this change?
Comment 4 tgpski 2022-10-07 23:06:49 UTC
This change was either intentional or a regression. After upgrading KWallet today, I was locked out of my company VPN due to the plain algorithm being used in wallet communications between the VPN frontend and the keyring.

The upgrade today was from KWallet 5.96.0 to 5.98.0.

The plain algorithm support worked for versions 5.96 and lower. Therefore, a change to restrict this algorithm must have been introduced in 5.97.

Can we not revert this change?
Comment 5 michaelk83 2022-10-08 11:40:24 UTC
(In reply to tgpski from comment #3)
> After upgrading KWallet today, I was locked out of my company VPN due to the plain algorithm
> being used in wallet communications between the VPN frontend and the keyring.
> 
> The upgrade today was from KWallet 5.96.0 to 5.98.0.

5.97 introduced Secret Service API support in KWallet; there was no Secret Service support at all prior to that. The "plain" algorithm discussed here is specifically the "plain" algorithm for the Secret Service API, which was never implemented.

What I suspect in your case is that possibly the VPN client was using the Secret Service API to store its credentials in GNOME Keyring. You can try disabling Secret Service support in the KWallet settings to see if that resolves your issue (you may need to kill the `kwalletd5` process or restart the PC for the change to take effect). If that doesn't help, you'll need to provide more details on the software you are using. But this is not likely to be related to this issue.
Comment 6 Nicolas Fella 2022-10-11 21:32:37 UTC
Git commit b9ada3a3c9a75e5244e55afa01eb3bf3c6f5c7f3 by Nicolas Fella, on behalf of Georg Kotheimer.
Committed on 11/10/2022 at 21:25.
Pushed by nicolasfella into branch 'master'.

Add support for plain transfer algorithm to Secret Service API

Move the secret transfer encryption and decryption logic from
KWalletFreedesktopSession to the newly introduced
KWalletFreedesktopSessionAlgorithm class, abstracting from the concrete
secret transfer algorithm in use.

M  +35   -29   src/runtime/kwalletd/kwalletfreedesktopservice.cpp
M  +5    -6    src/runtime/kwalletd/kwalletfreedesktopservice.h
M  +73   -26   src/runtime/kwalletd/kwalletfreedesktopsession.cpp
M  +34   -13   src/runtime/kwalletd/kwalletfreedesktopsession.h

https://invent.kde.org/frameworks/kwallet/commit/b9ada3a3c9a75e5244e55afa01eb3bf3c6f5c7f3
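
To check whether the Secret Service provider on a given session bus accepts the "plain" algorithm requested in this report, the following probe calls `OpenSession` with `gdbus`. It is an added example, not KWallet code or part of the original thread. The `GDBUS` override, the function name and the result strings are assumptions of this example, and it assumes an unsupported algorithm is reported as `org.freedesktop.DBus.Error.NotSupported`, as the Secret Service specification defines. With "plain", secrets cross the session bus unencrypted, so the result is also worth knowing when reviewing which clients rely on it.

```shell
#!/bin/sh
# Added example (not KWallet code): probe whether the Secret Service provider
# on the session bus accepts a given transfer algorithm in OpenSession.
# GDBUS is an assumption of this example: it lets a stub stand in for the
# real gdbus binary when no session bus is available.
GDBUS="${GDBUS:-gdbus}"
SS_DEST=org.freedesktop.secrets
SS_PATH=/org/freedesktop/secrets

# Prints one of: supported | not-supported | unreachable
probe_algorithm() {
    ss_algorithm="$1"
    # For "plain" the specification takes an empty string variant as input.
    if ss_out=$("$GDBUS" call --session --dest "$SS_DEST" \
            --object-path "$SS_PATH" \
            --method org.freedesktop.Secret.Service.OpenSession \
            "$ss_algorithm" "<''>" 2>&1); then
        # Reply looks like: (<''>, objectpath '/org/.../session/s1')
        ss_session=$(printf '%s\n' "$ss_out" |
            sed -n "s/.*objectpath '\([^']*\)'.*/\1/p")
        # Close the probe session so it does not linger in the daemon.
        if [ -n "$ss_session" ]; then
            "$GDBUS" call --session --dest "$SS_DEST" \
                --object-path "$ss_session" \
                --method org.freedesktop.Secret.Session.Close \
                >/dev/null 2>&1 || true
        fi
        echo supported
    elif printf '%s\n' "$ss_out" |
            grep -q 'org\.freedesktop\.DBus\.Error\.NotSupported'; then
        # The service answered but rejected the algorithm.
        echo not-supported
    else
        # No gdbus, no session bus, or no provider owns the bus name.
        echo unreachable
    fi
}

# Run the probe only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    echo "plain: $(probe_algorithm plain)"
fi
```

Run it with `--run` inside the desktop session of the user whose wallet is in question; `unreachable` means no provider answered at all, which is a different problem from a rejected algorithm.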